Problems securing /tmp

nostromo

Hello,

I've taken out a new VPS that I'm having a go at "securing" myself.

I used this forum to assist me with things I'm unsure about and one of those was securing the /tmp.

I found a thread here that gave a sort of guide that detailed how to secure this but I'm having issues and not sure how to proceed.

Code:
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=1000000
/sbin/mke2fs /var/tmpMnt
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp    # <----------

mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp did not work so I altered it to:

mount -t tmpfs -o noexec,nosuid tmpfs /tmp

This appeared to work correctly so I proceeded.

Code:
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt   /tmp   ext2   loop,noexec,nosuid,nodev,rw   0   0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp

cp -a /var/tmp/.??* /var/tmp/* /tmp causes an error for me, this is as follows:

cp: cannot stat `/var/tmp/.??*': No such file or directory
cp: cannot stat `/var/tmp/*': No such file or directory

I have tried finding/understanding a solution to this on Google and here on the forum but have been unable.

I'd appreciate if someone could help me out as I am unsure how I fix and/or undo what I've done!

Thanks
 
I appreciate the help tomtom901

I cd'd to /var/tmp fine, ls = no files, is an empty dir.

Should I just run "cp -a /var/tmp/* /tmp" anyway?

Tom
 
[root@hub/]# cd /var/tmp
[root@hub tmp]# ls
[root@hub tmp]# cp -a /var/tmp/* /tmp
cp: cannot stat `/var/tmp/*': No such file or directory
[root@hub tmp]#

The rest of the instructions after getting past this error are:

rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /var/tmp

I just wanted to be sure it was correct up til this point as I don't want to mess anything up :)

Appreciate your continued help.

T.
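
Why the `cp -a /var/tmp/.??* /var/tmp/* /tmp` step fails on an empty directory, shown as an added example that is not part of the thread: the shell passes an unmatched glob to cp unchanged, so cp tries to stat a file literally named `*`. The function names and the mktemp scratch directories are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are throwaway mktemp dirs.

# The thread's command form: two globs expanded by the shell before cp runs.
# In an empty directory neither glob matches, the shell passes both patterns
# through literally, and cp fails with "cannot stat".
copy_with_globs() {
    cp -a "$1"/.??* "$1"/* "$2" 2>/dev/null
}

# Glob-free form: "SRC/." means "the contents of SRC", dotfiles included.
# An empty source is a successful no-op.
copy_dir_contents() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    cp -a "$1"/. "$2"/
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/empty" "$work/full" "$work/out_glob" "$work/out_dot"
    # Constructed sample content; ".a" is too short for the ".??*" pattern.
    touch "$work/full/.a" "$work/full/.session" "$work/full/data"

    copy_with_globs "$work/empty" "$work/out_glob"
    echo "globs on empty dir  -> exit $?"
    copy_dir_contents "$work/empty" "$work/out_dot"
    echo "SRC/. on empty dir  -> exit $?"

    copy_with_globs "$work/full" "$work/out_glob"
    copy_dir_contents "$work/full" "$work/out_dot"
    echo "globs copied: $(ls -A "$work/out_glob" | tr '\n' ' ')"
    echo "SRC/. copied: $(ls -A "$work/out_dot" | tr '\n' ' ')"
    rm -rf "$work"
}

demo
```

On an empty source directory the "cannot stat" error only means there was nothing to copy.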
 
It is a CentOS VPS.

ls -all:

total 8
drwxrwxrwt 2 root root 4096 Oct 5 13:05 .
drwxr-xr-x 20 root root 4096 Oct 13 05:55 .
 
Got up to:

cp -a /home/tmp/.??* /home/tmp/* /tmp

and error:

cp: cannot stat `/home/tmp/.??*': No such file or directory
cp: cannot stat `/home/tmp/*': No such file or directory

I continued past this and now within /var/tmp

[root@hub tmp]# dir
pear tmp
[root@hub tmp]# ls -all
total 4
drwxrwxrwt 4 root root 100 Oct 16 00:04 .
drwxr-xr-x 21 root root 4096 Oct 13 05:57 ..
drwxrwxrwt 2 root root 40 Oct 6 07:28 .ICE-unix
drwxr-xr-x 4 root root 80 Oct 5 13:13 pear
lrwxrwxrwx 1 root root 4 Oct 16 00:04 tmp -> /tmp
[root@hub tmp]#
 
I usually use this:

Code:
#/tmp mounting by Real Websolutions

#just to make sure
cp /etc/fstab /etc/fstab.bak

#make using dd
cd /var
dd if=/dev/zero of=Tmp bs=1024 count=1024000
dd if=/dev/zero of=varTmp bs=1024 count=102400

#make an ext3 partition
mkfs -t ext3 /var/Tmp
mkfs -t ext3 /var/varTmp

#backup /tmp, mount
cd /
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /var/Tmp /tmp
cp -aR /tmp_backup/* /tmp/

#chmod + sticky bit
chmod 0777 /tmp && chmod +t /tmp

#backup /var/tmp, mount
cd /var/
cp -aR /var/tmp /var/tmp_backup
mount -o loop,noexec,nosuid,rw /var/varTmp /var/tmp
cp -aR /var/tmp_backup/* /var/tmp/


#chmod + sticky bit
chmod 0777 /var/tmp && chmod +t /var/tmp

#just for testing and confirmation
df -h

Add the mount to /etc/fstab
/var/Tmp        /tmp            ext3    loop,noexec,nosuid,rw   0       0
/var/varTmp     /var/tmp        ext3    loop,noexec,nosuid,rw   0       0
 
Protip: use a hardware partition for /tmp and just symlink /var/tmp to /tmp
 
I usually use this:

Code:
#/tmp mounting by Real Websolutions

#just to make sure
cp /etc/fstab /etc/fstab.bak

#make using dd
cd /var
dd if=/dev/zero of=Tmp bs=1024 count=1024000
dd if=/dev/zero of=varTmp bs=1024 count=102400

#make an ext3 partition
mkfs -t ext3 /var/Tmp
mkfs -t ext3 /var/varTmp

#backup /tmp, mount
cd /
cp -aR /tmp /tmp_backup
mount -o loop,noexec,nosuid,rw /var/Tmp /tmp
cp -aR /tmp_backup/* /tmp/

#chmod + sticky bit
chmod 0777 /tmp && chmod +t /tmp

#backup /var/tmp, mount
cd /var/
cp -aR /var/tmp /var/tmp_backup
mount -o loop,noexec,nosuid,rw /var/varTmp /var/tmp
cp -aR /var/tmp_backup/* /var/tmp/


#chmod + sticky bit
chmod 0777 /var/tmp && chmod +t /var/tmp

#just for testing and confirmation
df -h

Add the mount to /etc/fstab
/var/Tmp        /tmp            ext3    loop,noexec,nosuid,rw   0       0
/var/varTmp     /var/tmp        ext3    loop,noexec,nosuid,rw   0       0

Why are you creating two tmps????
 
#chmod + sticky bit
chmod 0777 /tmp && chmod +t /tmp
Best way is to chmod 1777, you got it right with 1 little command.

I wonder if it's possible to secure /tmp that way on a VPS system. I got 2 vps systems and this wouldn't work because of the fstab being rewritten after every boot.
 
Couldn't you recreate it manually as the last part of the boot process?

Jeff
 
From what I've been reading about this on the net, it's not possible with "loop" when that is missing or when your /etc/fstab is rewritten after every reboot or the remount command is not allowed.
I found also a thread here on DA:
http://forum.directadmin.com/showthread.php?t=29608&page=2
this might be of help.

Also I found this:
In a VPS you need to secure /tmp manually

You can do it by adding the following entry in “/etc/fstab”
====
none /tmp tmpfs nodev,nosuid,noexec 0 0
====
Save the file and reboot the VPS; now the VPS gets mounted with “nosuid” and “noexec”.

Also you can set the sticky bit on /tmp -> chmod 1777 /tmp
As you can see, the loop is not mentioned. It might be a solution too.
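
A way to confirm that the options discussed in this thread actually took effect, as an added example that is not part of the thread: it reads a /proc/mounts-format table and reports which of noexec, nosuid and nodev are missing for a mount point, and checks for the 1777 mode. The function names and the sample mount table are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Sample mount table is constructed.

# Print the hardening options missing from the mount at $2, reading a
# /proc/mounts-format file $1.
# Exit 0: all present, 1: some missing, 2: $2 is not a separate mount.
missing_mount_opts() {
    awk -v mp="$2" -v want="noexec nosuid nodev" '
        $2 == mp { opts = $4; found = 1 }   # last match is the visible mount
        END {
            if (!found) exit 2
            split(opts, o, ",")
            for (i in o) have[o[i]] = 1
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) miss = miss (miss == "" ? "" : ",") w[i]
            if (miss != "") { print miss; exit 1 }
        }' "$1"
}

# True when $1 has the mode that chmod 1777 sets (drwxrwxrwt).
has_mode_1777() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Constructed sample: /tmp mounted as in the first post (no nodev),
# /var/tmp mounted with all three options, /home/tmp not mounted at all.
sample_mounts() {
    cat <<'EOF'
/dev/vda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec,relatime 0 0
none /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

table=$(mktemp) && sample_mounts > "$table"
for mp in /tmp /var/tmp /home/tmp; do
    miss=$(missing_mount_opts "$table" "$mp"); rc=$?
    echo "$mp: exit $rc missing=[$miss]"
done
rm -f "$table"
```

On a live system, run `missing_mount_opts /proc/mounts /tmp` and `has_mode_1777 /tmp` after each reboot, since /etc/fstab may have been rewritten.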
 